
v2.1: fix audit (backport of #4014) #4022

Merged
merged 1 commit into from
Dec 11, 2024

Conversation


@mergify mergify bot commented Dec 9, 2024

Problem

The audit failed. We need to upgrade idna to >= 1.0.0. However, the dep chain looks like:

jsonrpc-core-client v18.0.0 -> jsonrpc-client-transports v18.0.0 -> url v1.7.2 -> idna v0.1.5

and jsonrpc-core-client has not released any new version in the past 3 years...

Summary of Changes

Ignore it as a stopgap.

This is an automatic backport of pull request #4014 done by Mergify.
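The stopgap the description refers to is an advisory ignore in cargo-audit's configuration. The file below is an added example, not the project's own `.cargo/audit.toml`; the page does not name the advisory, so `RUSTSEC-XXXX-XXXX` is a placeholder to be replaced with the ID that `cargo audit` reports for the idna 0.1.5 finding.

```toml
# .cargo/audit.toml (added example, not the project's file)
#
# cargo-audit reads this file from the workspace root. Entries under
# [advisories].ignore are advisory IDs that the audit will skip; everything
# else still fails the build, so the suppression is scoped to one finding.
[advisories]
ignore = [
    # PLACEHOLDER: advisory ID for idna < 1.0.0, as printed by `cargo audit`.
    # Reached only through the unmaintained jsonrpc-core-client chain:
    #   jsonrpc-core-client -> jsonrpc-client-transports -> url 1.7.2 -> idna 0.1.5
    # Remove this entry once the dependency chain is replaced (e.g. by jsonrpsee).
    "RUSTSEC-XXXX-XXXX",
]
```

The same suppression can be applied per run with `cargo audit --ignore RUSTSEC-XXXX-XXXX`, which is useful for confirming that the ID is the only one being masked before committing the file. `cargo tree -i idna` (inverted tree) shows every path by which the old crate is pulled in, so the ignore can be re-evaluated once the chain changes.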

@mergify mergify bot requested a review from a team as a code owner December 9, 2024 19:24
(cherry picked from commit 6c86ce5)
@yihau yihau force-pushed the mergify/bp/v2.1/pr-4014 branch from b0c37a7 to 0d12b04 Compare December 10, 2024 11:10
@yihau yihau requested a review from joncinque December 11, 2024 04:15
@bw-solana

Do we know we're not exposed to any false match issues? I'm a little hesitant to just ignore this without a concrete plan for how we're going to close the vulnerability.

Do we fork jsonrpc-core-client?

@joncinque

In my view, the long term plan should be to move from jsonrpc to jsonrpsee, which is the async-based successor crate.

@t-nelson

My assessment is that we are not vulnerable to technical attack because RPC only serves HTTP, so we don't have any cert verification process to trick. One could claim that we are vulnerable to social attack via domain name aliasing, but I haven't convinced myself that's a problem with RPC rather than domain lookups generally.

@t-nelson t-nelson merged commit aca7bbe into v2.1 Dec 11, 2024
19 checks passed
@t-nelson t-nelson deleted the mergify/bp/v2.1/pr-4014 branch December 11, 2024 20:53